February 15th, 2012

Workshop: API Security for Mobile & Cloud

Layer 7 will be at the RSA Conference next week, with CTO Scott Morrison and Director of Solutions Engineering Francois Lascelles both giving presentations. We’ll also be sponsoring the Cloud Security Alliance’s CSA Summit 2012, which will be taking place at the conference, on the 27th.

As part of our activities at the CSA Summit, we’ll be holding an enterprise-level workshop called API Security for Mobile & Cloud. This workshop will be held at the W Hotel, between 1pm and 5pm. Sessions will include:

  • Open APIs: The New Enterprise Imperative for Mobile & Cloud & Security Implications
  • API Security & Management Best Practices
  • Managing API Access Through OAuth
  • API Threat Protection & Metering
  • Enabling API Discovery & Developer Self-Service – An API Developer Portal Example

The workshop will include lunch, a networking session and guest speaker Caleb Sima of Andreessen Horowitz, one of the leading venture capital firms in Silicon Valley. Caleb has been engaged in the Internet security arena since 1996 and has become widely recognized as one of the leading experts in Web security, penetration testing and the identification of emerging threats. He is a highly in-demand speaker and press resource, and is regularly featured in the Associated Press and global security media.

Space is limited, so if you’re going to be attending the CSA Summit, be sure to register for the workshop today.

December 2nd, 2011

FROM THE VAULT: Webinar – Managing API Security in SaaS & Cloud presented with the Cloud Security Alliance

This week’s dip into the Layer 7 archive provides real-world advice on how providers of Cloud services can securely expose their APIs to third-party developers. Featuring input from eBay Chief Security Strategist Liam Lynch, Managing API Security in SaaS & Cloud will definitely be of interest to anyone who enjoyed our recent Webinar with Best Buy and Amazon Web Services.

For Cloud providers, API publishing has become critical to enabling integration with enterprise systems, sharing information across affiliate Web sites and providing mobile access to services. Of course, Cloud computing and API publishing create all sorts of new security concerns, which is where secure integration providers like Layer 7 come in.

This webinar was co-presented with our friends at the Cloud Security Alliance but it’s about more than just security. A truly safe and secure API publishing program will have to tackle the full range of API management concerns. Specifically, Cloud API publishers need ways to address versioning and to meter consumption without burdening either developers or consumers.

To find out more, you can read about the webinar on the Layer 7 Web site or simply watch the recording in the player below.

November 11th, 2011

FROM THE VAULT: Webinar – Extending Enterprise Security into the Cloud presented with The 451 Group

Next week, Layer 7 will be exhibiting at a couple of events, both of which have a strong Cloud security focus. Between November 13 and 16, we’ll be in Las Vegas for CA World, where we’ll be setting up shop in the Cloud Section and the Security Section. On November 16 and 17, we’ll be at the Cloud Security Alliance Congress in Orlando.

With these Cloud security-focused events just around the corner, it seems like a good time to mention our archived webinar Extending Enterprise Security into the Cloud. Presented with The 451 Group, this webinar explored ways for enterprises to extend existing security investments into the Cloud without incurring significant costs or creating additional IT complexity.

Presentations from Layer 7 CTO Scott Morrison and 451 Group Security Analyst Steve Coplan delved into how enterprises can leverage the identity, privacy and threat-protection technologies they already own to facilitate the secure adoption of SaaS, IaaS and other Cloud-based technologies.

You can read more about the webinar in our Resource Library or simply watch the recording in the player below, courtesy of the Layer 7 YouTube Channel.

And if you happen to be attending either CA World or the CSA Congress, stop by and say “hi”. CA World attendees can find us at Partner Pedestal 261A in the Cloud Section and Partner Pedestal 338B in the Security Section. For the CSA conference we’ll be at table 10. Hope to see you there!

August 16th, 2011

The Cloud Security Alliance Introduces The Security, Trust and Assurance Registry

As a vendor of security products, I see a lot of Requests for Proposal (RFPs). More often than not these consist of an Excel spreadsheet with dozens—sometimes even hundreds—of questions ranging from how our products address business concerns to security minutiae that only a high-geek can understand. RFPs are a lot of work for any vendor to respond to, but they are an important part of the selling process and we always take them seriously. RFPs are also a tremendous amount of work for the customer to prepare, so it’s not surprising that they vary greatly in sophistication. I’ve always thought it would be nice if the SOA gateway space had a standardized set of basic questions that focused vendors and customers on the things that matter most in Governance, Risk and Compliance (GRC).

In the cloud space, such a framework now exists. The Cloud Security Alliance (CSA) has introduced the Security, Trust and Assurance Registry (STAR), which is a series of questions designed to document the security controls a cloud provider has in place. IaaS, PaaS and SaaS cloud providers will self-assess their status and publish the results in the CSA’s centralized registry. Providers report on their compliance with CSA best practices in two different ways. From the CSA STAR announcement:

  1. The Consensus Assessments Initiative Questionnaire (CAIQ), which provides industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings. The questionnaire (CAIQ) provides a set of over 140 questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. Providers may opt to submit a completed Consensus Assessments Initiative Questionnaire.
  2. The Cloud Controls Matrix (CCM), which provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. Providers may choose to submit a report documenting compliance with Cloud Controls Matrix.

The spreadsheets cover eleven control areas, each subdivided into a number of distinct control specifications. The control areas are:
  1. Compliance
  2. Data Governance
  3. Facility Security
  4. Human Resources
  5. Information Security
  6. Legal
  7. Operations Management
  8. Risk Management
  9. Release Management
  10. Resiliency
  11. Security Architecture
The CSA hopes that STAR will help to shorten purchasing cycles for cloud services because the assessment addresses many of the security concerns that users have today with the cloud. As with any benchmark, over time vendors will refine their product to do well against the test—and as with many benchmarks, this may be to the detriment of other important indicators. But this set of controls has been well thought through by the security professionals in the CSA community, so cramming for this test will be a positive step for security in the cloud.